US20130212684A1 - Detecting Application Harmful Behavior and Grading Application Risks for Mobile Devices - Google Patents

Detecting Application Harmful Behavior and Grading Application Risks for Mobile Devices Download PDF

Info

Publication number
US20130212684A1
US20130212684A1 US13/734,467 US201313734467A US2013212684A1 US 20130212684 A1 US20130212684 A1 US 20130212684A1 US 201313734467 A US201313734467 A US 201313734467A US 2013212684 A1 US2013212684 A1 US 2013212684A1
Authority
US
United States
Prior art keywords
application
behaviors
determining
security
potential
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US13/734,467
Other versions
US9063964B2 (en
Inventor
Xuyang Li
Chenfu Bao
Lei Wang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baidu Online Network Technology Beijing Co Ltd
Original Assignee
TRUSTGO MOBILE Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TRUSTGO MOBILE Inc filed Critical TRUSTGO MOBILE Inc
Priority to US13/734,467 priority Critical patent/US9063964B2/en
Assigned to TRUSTGO MOBILE, INC. reassignment TRUSTGO MOBILE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BAO, CHENFU, WANG, LEI, LI, XUYANG
Publication of US20130212684A1 publication Critical patent/US20130212684A1/en
Application granted granted Critical
Publication of US9063964B2 publication Critical patent/US9063964B2/en
Assigned to BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD. reassignment BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TRUSTGO MOBILE, INC.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0282Rating or review of business operators or products
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2457Query processing with adaptation to user needs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/953Querying, e.g. by the use of web search engines
    • G06F16/9535Search customisation based on user profiles and personalisation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Definitions

  • One way a user can decide whether to download an application is to look at user reviews of the applications. However, most often, the user reviews do not mention if any of the applications include a security risk or the application may become compromised after the user reviews were submitted. Thus, after downloading the application, the application may compromise the security of the mobile electronic device and possibly the data stored by the mobile electronic device. Even worse, the applications may also compromise the security of private enterprise networks if the networks are accessed from a compromised mobile electronic device.
  • a method determines a permission list from an application and generates a set of potential behaviors from the permission list.
  • the set of potential behaviors is associated with actions that the application allows when executing on a mobile device where the set of potential behaviors are determined without execution of the application.
  • the method determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application from the set of application marketplaces.
  • a required behavior list is generated including a set of required behaviors from the functional category information and the application description information.
  • the method compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors.
  • the security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors.
  • a security rating is determined based on the set of security related behaviors.
  • a non-transitory computer-readable storage medium containing instructions, that when executed, control a computer system to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
  • an apparatus comprising: one or more computer processors; and a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more computer processors to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
  • FIG. 1 depicts a simplified system for providing security according to one embodiment.
  • FIG. 2 depicts a more detailed example of risk assessment manager according to one embodiment.
  • FIG. 3 depicts a more detailed example of an analyzer manager and a security ratings manager according to one embodiment.
  • FIG. 4 depicts a more detailed example of the analyzer manager and the security ratings manager for a list of Android permissions according to one embodiment.
  • FIG. 5 depicts a simplified flowchart of a method for determining security ratings according to one embodiment.
  • FIG. 6 illustrates an example of a special purpose computer system configured with a security ratings system according to one embodiment.
  • Particular embodiments provide a security ratings system for applications offered by application marketplaces.
  • the security ratings may be tailored to how the applications operate and are used on mobile devices. A user may then review the security ratings and decide whether to download an application. Further, the security ratings may be sent to a user to warn the user of a possible security threat for an application currently residing on the user's mobile device.
  • FIG. 1 depicts a simplified system 100 for providing security according to one embodiment.
  • System 100 includes a back-end security system 102 that may interact with mobile devices 104 .
  • back-end security system 102 provides security services to mobile devices 104 , which download applications (apps) 108 from application marketplaces 106 .
  • Mobile devices 104 may be computing devices that can download applications 108 , such as smartphones, tablet computers, smart televisions, laptop computers, and personal computers.
  • Mobile devices 104 include a front-end security system 110 that may analyze applications 108 for security risks on mobile device 104 .
  • Front-end security system 110 evaluates applications 108 on mobile device 104 according to multiple independent aspects of security.
  • front-end security system 110 may interact with back-end security system 102 to send results of analysis of applications 108 on mobile device 104 .
  • front-end security system 110 may analyze the use of applications 108 , scan mobile device 104 for security risks, and then send information related to the analysis to back-end security system 102 .
  • back-end security system 102 includes a risk assessment manager 112 , an application recommendation manager 114 , and an application certification manager 116 .
  • Risk assessment manager 112 may assess the risk of applications 108 and provide a security rating based on the assessment.
  • the security rating may be tailored to how applications 108 are used on mobile devices 104 .
  • the security ratings may include certified, malicious, high-risk, and low-risk/noisy ratings. These security ratings will be described in more detail below.
  • Application recommendation manager 114 may recommend new applications to users.
  • application recommendation manager 114 may communicate with front-end security system 110 to determine the new application recommendations.
  • application recommendation manager 114 may use user preferences and user behaviors that are determined based on actions performed on mobile device 104 in addition to information from similar users, such as a user's friends in a social network, to determine the application recommendations.
  • application recommendation manager 114 may provide the application recommendations based on communication with front-end security system 110 .
  • front-end security system 110 may determine the application recommendations without communication with back-end security system 102 .
  • Application certification manager 116 provides certification that an instance of an application 108 in a marketplace 106 is an authentic copy. For example, an instance of an application 108 may be found in multiple application marketplaces 106 . However, specific instances of the application may not be certified copies. That is, other companies may copy an application 108 and/or modify an application 108 .
  • Application certification manager 116 scans applications 108 in application marketplaces 106 , and can determine whether applications 108 are a certified copy. Thus, when a user wants to download an application 108 from a specific application marketplace 106 , the user can review the application certification to determine whether to download the application. Additionally, the application certification may indicate to users, organizations, enterprises, application stores, device providers, networks, and/or any other interested party, that the application has adequate security. The security certification may be unique to each certified application so that users can validate its authenticity.
  • FIG. 2 depicts a more detailed example of risk assessment manager 112 according to one embodiment.
  • An analyzer manager 202 may analyze applications 108 to provide information to a security ratings manager 204 , which uses the information to determine security ratings for applications 108 .
  • the security rating is determined without analyzing information from mobile devices 104 . That is, how the application operates on mobile devices 104 is not analyzed to provide the security rating. This has a benefit in that malicious software may be determined before being downloaded onto mobile devices 104 where the applications could be harmful.
  • Analyzer manager 202 may receive application packages, which may include application executable program files and associated data resources, and application metadata, such as an application name, a description, an author, a price, a download count, a review score, reviews by users, comments, a category of the application, version, an operating system (OS), icons, thumbnails, a release date, and update dates. Analyzer manager 202 may then analyze the application package and provide information regarding the application to security ratings manager 204 . The analysis that is performed is described in more detail below.
  • analyzer manager 202 includes different automatic analyzer modules 206 , such as a cross-scanner 206 - 1 , a static analyzer 206 - 2 , a dynamic analyzer 206 - 3 , a signature scan engine 206 - 4 , a research formula analyzer 206 - 5 , a heuristic analyzer 206 - 6 , a root exploit analyzer 206 - 7 , and a permission analyzer 206 - 8 .
  • information from all of these analyzers is used, but only a portion of the analyzers may be used in other cases to determine security ratings.
  • Analyzer modules 206 such as a research formula analyzer 206 - 5 and heuristic analyzer 206 - 6 , access the application package and application metadata from the application database.
  • Research formula analyzer 206 - 5 analyzes the application package and metadata using one or more rules. Rules may be specified by administrative users using conditional logic, such as a “if this then that” format via an interface, such as a web interface.
  • Analyzer modules 206 receive samples of known malicious applications to identify patterns that are unique to these types of applications. Heuristic analyzer 206 - 6 then compares incoming applications with these patterns to identify any meaningful similarities that would identify an incoming application that is suspicious. A signature analyzer compares signatures of incoming applications with these patterns to identify any meaningful similarities.
  • Particular embodiments may include other types of analyzer modules 206 for analyzing different security aspects of the applications.
  • the set of analyzer modules 206 is managed by an analyzer framework.
  • a profiler gets information from application package file.
  • a cross scan analyzer 206 - 1 scans applications by other vendors to get reference.
  • a malware variant scanner (not shown) detects variants of malware.
  • a certificate analyzer (not shown) analyzes cryptographic certificates associated with the application and may include a blacklist and a whitelist for certificates.
  • a root exploit analyzer 206 - 7 determines if an application performs any actions to circumvent operating system privileges, such as gaining root privilege.
  • a permission analyzer 206 - 8 is used to analyze the operating system permissions given to the application.
  • a dynamic analyzer 206 - 3 analyzes the dynamic resource use of the application, such as processor, memory, battery, data storage, network traffic, and other system resource usage of an application. Dynamic analyzer 206 - 3 also analyzes communication of any private information to a 3 rd party server or if the application performs any malicious actions at runtime. In an embodiment, dynamic analyzer 206 - 3 simulates real usage of the application. Static analyzer 206 - 2 is used to analyze the actions that the application attempts to perform.
  • a digital signature or hash of the application is created to identify other instances of that application. This digital signature is provided to the signature based signature scan engine 206 - 4 for use in scanning for applications with the same signature.
  • security ratings manager 204 assigns a security rating to each application 108 and may store the security rating in an application database 210 .
  • the various security ratings include certified, malicious, high-risk, faked/cloned, and low-risk/noisy ratings and how mobile devices 104 uniquely use applications 108 in a mobile environment.
  • the certified security rating is for secured and approved applications 108 from trusted providers that are determined to pose no threat to mobile devices 104 .
  • the malicious security rating is for applications 108 that may intentionally harm mobile device 104 or any computing device coupled to mobile device 104 . This may include Trojan horses, viruses, and spyware. Further, certain behaviors that are unique to mobile devices 104 may be exhibited by malicious applications, such as sending short message service (SMS) messages without user's consent and in some cases sending premium-rate SMS messages; downloading and installing other applications without a user's consent; and compromising a user's privacy information, such as a user's contacts, global positioning satellite (GPS) location, call histories, SMS messages, and other personal information for the user.
  • SMS short message service
  • GPS global positioning satellite
  • a high-risk security rating means that applications 108 may be potentially dangerous.
  • these applications 108 may perform certain mobile device behaviors that include leaking personal identifiable information, such as a phone number, in plain text; performing actions that lead to unexpected charges on a user's telephone bill; modifying the operating system of mobile device 104 ; monitoring mobile device 104 or tracking the position of mobile device 104 ; or downloading other applications without confirmation.
  • These applications 108 may also contain possible security vulnerabilities, such as hacking tools.
  • the faked/cloned security rating is for applications that have been copied from certified applications.
  • a company may copy a certified application and try to pass it off as the certified copy.
  • the cloned copy may not function in the same way as the certified copy or may include malicious software.
  • the low-risk/noisy security rating includes applications that perform behaviors related to use of mobile devices 104 .
  • the behaviors include frequently pushing advertisements to a user, such as to a notification bar or through pop-up windows, aggressively displaying advertisements on a home screen even if the application is running in the background or closed; aggressively promoting other applications by prompting a user to download the applications; leaking a device identifier, such as an IMEI or IMSI, in plain text.
  • these behaviors may not be a security risk as in these behaviors do not perform malicious actions to mobile device 104 . However, these actions may create noise to a user, such as distracting them with advertisements.
  • a communication manager 212 may communicate the security rating to mobile devices 104 that include applications 108 that have been rated. Additionally, communication manager 212 may communicate the security rating to application marketplaces 106 . The marketplaces may display the security rating in the marketplace to allow users to determine whether they want to download applications 108 .
  • FIG. 3 depicts a more detailed example of analyzer manager 202 and security ratings manager 204 according to one embodiment.
  • the potential harmful behavior of applications 108 and grading of the security risks are determined without actually executing applications 108 on mobile devices 104 .
  • Particular embodiments define a set of behaviors that will affect the security of mobile device 104 .
  • these behaviors may include behaviors that are associated with operating a mobile device, such as initiating a phone call, sending an SMS message, tracking the location of mobile device 104 , accessing the contacts and sending contact information, accessing mobile device information, accessing the camera/video and initiating the camera or video recorder, accessing SMS content, and accessing a call log.
  • a different security rating may be applied to each behavior and/or application 108 .
  • An application analyzer 302 receives an application package.
  • the application package may include an application executable and/or application metadata.
  • Application analyzer 302 analyzes the application package to determine a permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed.
  • the operating system defines or provides a list of APIs that applications can use to trigger certain actions or access certain data. Each permission is associated to a set of APIs.
  • an application needs to claim proper permissions that are associated to the APIs the application wants to invoke.
  • the combination of same set of APIs can generate various kinds of behaviors and thus consequences from the behaviors on the mobile device, which can be secure to the user as well as harmful to the user.
  • Static analyzer 206 - 2 extracts all the permissions from an application that the application claims to use and check that the application has claimed more permissions than it needs for normal or secure behavior.
  • Dynamic analyzer 206 - 3 goes one step further by analyzing how the APIs associated with the permissions that an application has declared to use are used inside the code of the application and thus determines the kind of runtime behaviors that are triggered to determine whether any of runtime behaviors are harmful to the mobile device and/or users.
  • Application analyzer 302 may determine the permission list from the application's executable file or application metadata.
  • PC is a permission and CPL is a permission list
  • BL is the set of possible behaviors
  • PBL is a potential behavior list.
  • a category analyzer 304 collects category information for an application 108 from various application marketplaces 106 .
  • different marketplaces 106 may be offering an instance of application 108 .
  • different marketplaces 106 may categorize the same application 108 in different categories.
  • one application marketplace 106 may categorize application 108 in a general “games” category and another application marketplace 106 may categorize application 108 in a “race car game” category.
  • Category analyzer 304 may receive the categories that application marketplaces 106 have used based on a crawling of application marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application.
  • category analyzer 304 may select a default category (DC) based on the category information received from all application marketplaces 106 .
  • the default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace.
  • mapping table # 2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category.
  • An example of mapping table # 2 may be:
  • Application description analyzer 306 includes a third mapping table # 3 (MT 3 ) that maps keywords to required behaviors.
  • An example of mapping table # 3 may be:
  • Keyword Behavior phone call Call phone video call Call phone dialer/Call phone
  • various keywords are mapped to behaviors, such as a keyword of phone call is mapped to a behavior of making a phone call.
  • application description analyzer 306 may extract keywords from the functional description and/or application name.
  • the keywords may be information that describes application 108 , such as an e-mail messaging application, a game, etc.
  • Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table # 3 .
  • a required behavior manager 308 receives required behaviors from category analyzer 304 and application description analyzer 306 . Required behavior manager 308 may then output a set of required behaviors. Required behavior manager 308 may use the following algorithm to determine the set of required behaviors:
  • the above algorithm determines a first behavior list (RBL) based on the output of mapping table # 2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL 2 is determined by applying the keywords to a mapping table # 3 . The second required behavior list BL 2 is then added into the required behavior list RBL.
  • a behavior comparison manager 310 receives the required behavior list in addition to the potential behavior list. Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates an abused behavior list (ABL). The following algorithm may be used:
  • security ratings determiner 312 in security ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the abused behavior list. For example, security ratings determiner 312 may review each behavior and assign a security rating. That is, each behavior may be given one of the security ratings.
  • security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of behaviors that are in the low-risk/noisy security rating, security rating determiner 312 assigns a low-risk/noisy security rating to application 108 . Also, the number of behaviors may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108 . In other cases, if one behavior is included in a certain security rating, such as malicious, then that security rating is assigned to application 108 . For example, if an application exhibits just one malicious behavior, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious behavior.
  • Particular embodiments may also be used for an AndroidTM application.
  • a list of Android permissions may be mapped into a security rating.
  • FIG. 4 depicts a more detailed example of analyzer manager 202 and security ratings manager 204 for a list of Android permissions according to one embodiment.
  • An application analyzer 302 receives an application package. As discussed above, the application package may include an application executable and/or application metadata. Application analyzer 302 analyzes the application package to determine an Android permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed in Android. Application analyzer 302 may determine the permission list from the application's executable file or application metadata.
  • Application analyzer 302 maps each permission to a security rating (SR(P)) using a first mapping table # 1 (MT 1 ).
  • a category analyzer 304 collects category information for an application 108 from various application marketplaces 106 .
  • different marketplaces 106 may be offering an instance of application 108 .
  • different marketplaces 106 may categorize the same application 108 in different categories.
  • one application marketplace 106 may categorize application 108 in a general games category and another application marketplace 106 may categorize application 108 in a race car game category.
  • Category analyzer 304 may receive the categories that application marketplaces 106 have used based on a crawling of application marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application.
  • category analyzer 304 may select a default category (DC) based on the category information received from all application marketplaces 106 .
  • the default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace.
  • mapping table # 2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category
  • An application description analyzer 306 receives an application description, which may include an application name and synopsis of the application functionality.
  • a crawler may crawl through various application marketplaces 106 to determine the application name and description from each application marketplace 106 .
  • different marketplaces may have a different description of an instance of application 108 .
  • different applications may have different names in different marketplaces, but may be the same application.
  • Application description analyzer 306 includes a third mapping table # 3 (MT 3 ) that maps keywords to required behaviors.
  • application description analyzer 306 may extract keywords from the functional description and/or application name.
  • the keywords may be information that describes application 108 , such as an e-mail messaging application, a game, etc.
  • Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table # 3 .
  • a required behavior manager 308 receives required behaviors from category analyzer 304 and application description analyzer 306 . Required behavior manager 308 may then output a set of required behaviors. Required behavior manager 308 may use the following algorithm to determine the set of required behaviors:
  • the above algorithm determines a first behavior list (RBL) based on the output of mapping table # 2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL 2 is determined by applying the keywords to a mapping table # 3 . The second required behavior list BL 2 is then added into the required behavior list RBL.
  • a behavior comparison manager 310 receives the required behavior list in addition to the potential behavior lists. Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates a violated permission list (VPL).
  • VPL violated permission list
  • security ratings determiner 312 in security ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the violated permission list. For example, security ratings determiner 312 may review each permission and assign a security rating. For example, each permission may be given one of the security ratings.
  • security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of permissions that are in the low-risk/noisy security rating, security rating determiner 312 assigns a low-risk/noisy security rating to application 108 . Also, the number of permissions may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108 . In other cases, if one permission is included in a certain security rating, such as malicious, then that security rating is assigned to application 108 . For example, if an application exhibits just one malicious permission, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious permission.
  • FIG. 5 depicts a simplified flowchart 500 of a method for determining security ratings according to one embodiment.
  • risk assessment manager 112 determines a permission list from an application 108 .
  • the permission list may be determined from an application package.
  • risk assessment manager 112 generates a set of potential behaviors from the permission list.
  • the set of potential behaviors are associated with actions that the application allows when executing on a mobile device.
  • risk assessment manager 112 determines the set of potential behaviors without execution of the application.
  • risk assessment manager 112 determines functional category information regarding a functional category from a set of application marketplaces 106 that contain the application.
  • the functional category information may be different for different marketplaces 106 and a default category may be determined.
  • risk assessment manager 112 determines application description information for the application from the set of application marketplaces.
  • the application description information may be keywords from a synopsis of the application.
  • risk assessment manager 112 generates a required behavior list including a set of required behaviors from the functional category information and the application description information. Risk assessment manager 112 may use mapping tables to generate the required behavior list.
  • risk assessment manager 112 compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors.
  • the security related behaviors may be abused behaviors or abused permissions as described above.
  • the security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors.
  • risk assessment manager 112 determines a security rating based on the set of abused behaviors.
  • FIG. 6 illustrates an example of a special purpose computer system 600 configured with a security ratings system according to one embodiment.
  • Computer system 600 includes a bus 602 , network interface 604 , a computer processor 606 , a memory 608 , a storage device 610 , and a display 612 .
  • Bus 602 may be a communication mechanism for communicating information.
  • Computer processor 604 may execute computer programs stored in memory 608 or storage device 608 . Any suitable programming language can be used to implement the routines of particular embodiments including C, C++, Java, assembly language, etc. Different programming techniques can be employed such as procedural or object oriented. The routines can execute on a single computer system 600 or multiple computer systems 600 . Further, multiple processors 606 may be used.
  • Memory 608 may store instructions, such as source code or binary code, for performing the techniques described above. Memory 608 may also be used for storing variables or other intermediate information during execution of instructions to be executed by processor 606 . Examples of memory 608 include random access memory (RAM), read only memory (ROM), or both.
  • RAM random access memory
  • ROM read only memory
  • Storage device 610 may also store instructions, such as source code or binary code, for performing the techniques described above. Storage device 610 may additionally store data used and manipulated by computer processor 606 .
  • storage device 610 may be a database that is accessed by computer system 600 .
  • Other examples of storage device 610 include random access memory (RAM), read only memory (ROM), a hard drive, a magnetic disk, an optical disk, a CD-ROM, a DVD, a flash memory, a USB memory card, or any other medium from which a computer can read.
  • Memory 608 or storage device 610 may be an example of a non-transitory computer-readable storage medium for use by or in connection with computer system 600 .
  • the computer-readable storage medium contains instructions for controlling a computer system to be operable to perform functions described by particular embodiments.
  • the instructions when executed by one or more computer processors, may be operable to perform that which is described in particular embodiments.
  • Computer system 600 includes a display 612 for displaying information to a computer user.
  • Display 612 may display a user interface used by a user to interact with computer system 600 .
  • Computer system 600 also includes a network interface 604 to provide data communication connection over a network, such as a local area network (LAN) or wide area network (WAN). Wireless networks may also be used.
  • network interface 604 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information.
  • Computer system 600 can send and receive information through network interface 604 across a network 614 , which may be an Intranet or the Internet.
  • Computer system 600 may interact with other computer systems 600 through network 614 .
  • client-server communications occur through network 614 .
  • implementations of particular embodiments may be distributed across computer systems 600 through network 614 .

Abstract

In one embodiment, a method determines a permission list from an application and generates a set of potential behaviors. The potential behaviors are associated with actions that the application allows when executing on a mobile device where the potential behaviors are determined without execution of the application. The method then determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application. A required behavior list is generated including a set of required behaviors from the functional category information and the application description information. The method compares the required behaviors to the potential behaviors to determine a set of security related behaviors. The security related behaviors are behaviors found in the potential behaviors, but not in the required behaviors. A security rating is determined based on the set of security related behaviors.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • The present disclosure claims priority to U.S. Provisional App. No. 61/582,910, entitled “Secure Application Distribution Platform”, filed Jan. 4, 2012, the contents of which is incorporated herein by reference in its entirety.
  • The present disclosure is related to U.S. patent application Ser. No. ______, entitled “APPLICATION RECOMMENDATION SYSTEM,”, and U.S. patent application Ser. No. ______, entitled “APPLICATION CERTIFICATION AND SEARCH SYSTEM”, and filed concurrently, the contents of which are incorporated herein by reference in their entirety.
    • BACKGROUND
  • As mobile electronic devices, such as smartphones, tablet computers, and smart televisions, are more commonly used, providing security on these devices becomes more important. For example, with the advent of “smart” devices, the mobile electronic devices allow users to download applications from application marketplaces. Some application marketplaces screen the applications that are offered. However, the screening process may not always perform comprehensive tests on the applications for security risks. Further, some application marketplaces are not regulated and allow any companies to place applications in the marketplace for download. This may increase the risk that some of these applications may include security risks because applications are not pre-screened.
  • One way a user can decide whether to download an application is to look at user reviews of the applications. However, most often, the user reviews do not mention if any of the applications include a security risk or the application may become compromised after the user reviews were submitted. Thus, after downloading the application, the application may compromise the security of the mobile electronic device and possibly the data stored by the mobile electronic device. Even worse, the applications may also compromise the security of private enterprise networks if the networks are accessed from a compromised mobile electronic device.
    • SUMMARY
  • In one embodiment, a method determines a permission list from an application and generates a set of potential behaviors from the permission list. The set of potential behaviors is associated with actions that the application allows when executing on a mobile device where the set of potential behaviors are determined without execution of the application. The method then determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application from the set of application marketplaces. A required behavior list is generated including a set of required behaviors from the functional category information and the application description information. The method compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors. The security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors. A security rating is determined based on the set of security related behaviors.
  • In one embodiment, a non-transitory computer-readable storage medium is provided containing instructions, that when executed, control a computer system to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
  • In one embodiment, an apparatus is provided comprising: one or more computer processors; and a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more computer processors to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
  • The following detailed description and accompanying drawings provide a better understanding of the nature and advantages of particular embodiments.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 depicts a simplified system for providing security according to one embodiment.
  • FIG. 2 depicts a more detailed example of risk assessment manager according to one embodiment.
  • FIG. 3 depicts a more detailed example of an analyzer manager and a security ratings manager according to one embodiment.
  • FIG. 4 depicts a more detailed example of the analyzer manager and the security ratings manager for a list of Android permissions according to one embodiment.
  • FIG. 5 depicts a simplified flowchart of a method for determining security ratings according to one embodiment.
  • FIG. 6 illustrates an example of a special purpose computer system configured with a security ratings system according to one embodiment.
    •  DETAILED DESCRIPTION
  • Described herein are techniques for a security ratings system. In the following description, for purposes of explanation, numerous examples and specific details are set forth in order to provide a thorough understanding of particular embodiments. Particular embodiments as defined by the claims may include some or all of the features in these examples alone or in combination with other features described below, and may further include modifications and equivalents of the features and concepts described herein.
  • Particular embodiments provide a security ratings system for applications offered by application marketplaces. The security ratings may be tailored to how the applications operate and are used on mobile devices. A user may then review the security ratings and decide whether to download an application. Further, the security ratings may be sent to a user to warn the user of a possible security threat for an application currently residing on the user's mobile device.
    • System Overview
  • FIG. 1 depicts a simplified system 100 for providing security according to one embodiment. System 100 includes a back-end security system 102 that may interact with mobile devices 104. In one embodiment, back-end security system 102 provides security services to mobile devices 104, which download applications (apps) 108 from application marketplaces 106.
  • Mobile devices 104 may be computing devices that can download applications 108, such as smartphones, tablet computers, smart televisions, laptop computers, and personal computers. Mobile devices 104 include a front-end security system 110 that may analyze applications 108 for security risks on mobile device 104. Front-end security system 110 evaluates applications 108 on mobile device 104 according to multiple independent aspects of security. In some examples, front-end security system 110 may interact with back-end security system 102 to send results of analysis of applications 108 on mobile device 104. For example, front-end security system 110 may analyze the use of applications 108, scan mobile device 104 for security risks, and then send information related to the analysis to back-end security system 102.
  • In one embodiment, back-end security system 102 includes a risk assessment manager 112, an application recommendation manager 114, and an application certification manager 116. Risk assessment manager 112 may assess the risk of applications 108 and provide a security rating based on the assessment. In one embodiment, the security rating may be tailored to how applications 108 are used on mobile devices 104. For example, the security ratings may include certified, malicious, high-risk, and low-risk/noisy ratings. These security ratings will be described in more detail below.
  • Application recommendation manager 114 may recommend new applications to users. In one embodiment, application recommendation manager 114 may communicate with front-end security system 110 to determine the new application recommendations. For example, application recommendation manager 114 may use user preferences and user behaviors that are determined based on actions performed on mobile device 104 in addition to information from similar users, such as a user's friends in a social network, to determine the application recommendations. In one embodiment, application recommendation manager 114 may provide the application recommendations based on communication with front-end security system 110. In other embodiments, front-end security system 110 may determine the application recommendations without communication with back-end security system 102.
  • Application certification manager 116 provides certification that an instance of an application 108 in a marketplace 106 is an authentic copy. For example, an instance of an application 108 may be found in multiple application marketplaces 106. However, specific instances of the application may not be certified copies. That is, other companies may copy an application 108 and/or modify an application 108. Application certification manager 116 scans applications 108 in application marketplaces 106, and can determine whether applications 108 are a certified copy. Thus, when a user wants to download an application 108 from a specific application marketplace 106, the user can review the application certification to determine whether to download the application. Additionally, the application certification may indicate to users, organizations, enterprises, application stores, device providers, networks, and/or any other interested party, that the application has adequate security. The security certification may be unique to each certified application so that users can validate its authenticity.
    • Security Ratings
  • FIG. 2 depicts a more detailed example of risk assessment manager 112 according to one embodiment. An analyzer manager 202 may analyze applications 108 to provide information to a security ratings manager 204, which uses the information to determine security ratings for applications 108. In one embodiment, the security rating is determined without analyzing information from mobile devices 104. That is, how the application operates on mobile devices 104 is not analyzed to provide the security rating. This has a benefit in that malicious software may be determined before being downloaded onto mobile devices 104 where the applications could be harmful.
  • Analyzer manager 202 may receive application packages, which may include application executable program files and associated data resources, and application metadata, such as an application name, a description, an author, a price, a download count, a review score, reviews by users, comments, a category of the application, version, an operating system (OS), icons, thumbnails, a release date, and update dates. Analyzer manager 202 may then analyze the application package and provide information regarding the application to security ratings manager 204. The analysis that is performed is described in more detail below.
  • In one embodiment, analyzer manager 202 includes different automatic analyzer modules 206, such as a cross-scanner 206-1, a static analyzer 206-2, a dynamic analyzer 206-3, a signature scan engine 206-4, a research formula analyzer 206-5, a heuristic analyzer 206-6, a root exploit analyzer 206-7, and a permission analyzer 206-8. In some cases, information from all of these analyzers is used, but only a portion of the analyzers may be used in other cases to determine security ratings.
  • Analyzer modules 206, such as a research formula analyzer 206-5 and heuristic analyzer 206-6, access the application package and application metadata from the application database. Research formula analyzer 206-5 analyzes the application package and metadata using one or more rules. Rules may be specified by administrative users using conditional logic, such as a “if this then that” format via an interface, such as a web interface. Analyzer modules 206 receive samples of known malicious applications to identify patterns that are unique to these types of applications. Heuristic analyzer 206-6 then compares incoming applications with these patterns to identify any meaningful similarities that would identify an incoming application that is suspicious. A signature analyzer compares signatures of incoming applications with these patterns to identify any meaningful similarities.
  • Particular embodiments may include other types of analyzer modules 206 for analyzing different security aspects of the applications. In an embodiment, the set of analyzer modules 206 is managed by an analyzer framework. A profiler gets information from application package file. A cross scan analyzer 206-1 scans applications by other vendors to get reference. A malware variant scanner (not shown) detects variants of malware. A certificate analyzer (not shown) analyzes cryptographic certificates associated with the application and may include a blacklist and a whitelist for certificates. A root exploit analyzer 206-7 determines if an application performs any actions to circumvent operating system privileges, such as gaining root privilege. A permission analyzer 206-8 is used to analyze the operating system permissions given to the application. A dynamic analyzer 206-3 analyzes the dynamic resource use of the application, such as processor, memory, battery, data storage, network traffic, and other system resource usage of an application. Dynamic analyzer 206-3 also analyzes communication of any private information to a 3rd party server or if the application performs any malicious actions at runtime. In an embodiment, dynamic analyzer 206-3 simulates real usage of the application. Static analyzer 206-2 is used to analyze the actions that the application attempts to perform.
  • In addition to automatic analysis, a manual analysis manager 208 may be used. For example, based on the automatic analysis, analyzer manager 202 may send certain applications 108 to manual analysis manager 208. A security analyst may then manually analyze applications 108. For example, the manual analysis may rate the security risk of application 108 or may confirm or deny the automatic security risk information determined by analyzer manager 202. Once the security analyst review is performed, manual analysis manager 208 may send the security analyst review back to analyzer manager 202, which can take into account the security analyst review in its automatic analysis.
  • If the suspicious application is determined to compromise one or more aspects of security, a digital signature or hash of the application is created to identify other instances of that application. This digital signature is provided to the signature based signature scan engine 206-4 for use in scanning for applications with the same signature.
  • Depending on the analysis, security ratings manager 204 assigns a security rating to each application 108 and may store the security rating in an application database 210. The various security ratings include certified, malicious, high-risk, faked/cloned, and low-risk/noisy ratings and how mobile devices 104 uniquely use applications 108 in a mobile environment.
  • In one embodiment, the certified security rating is for secured and approved applications 108 from trusted providers that are determined to pose no threat to mobile devices 104. The malicious security rating is for applications 108 that may intentionally harm mobile device 104 or any computing device coupled to mobile device 104. This may include Trojan horses, viruses, and spyware. Further, certain behaviors that are unique to mobile devices 104 may be exhibited by malicious applications, such as sending short message service (SMS) messages without user's consent and in some cases sending premium-rate SMS messages; downloading and installing other applications without a user's consent; and compromising a user's privacy information, such as a user's contacts, global positioning satellite (GPS) location, call histories, SMS messages, and other personal information for the user.
  • A high-risk security rating means that applications 108 may be potentially dangerous. For example, these applications 108 may perform certain mobile device behaviors that include leaking personal identifiable information, such as a phone number, in plain text; performing actions that lead to unexpected charges on a user's telephone bill; modifying the operating system of mobile device 104; monitoring mobile device 104 or tracking the position of mobile device 104; or downloading other applications without confirmation. These applications 108 may also contain possible security vulnerabilities, such as hacking tools.
  • The faked/cloned security rating is for applications that have been copied from certified applications. For example, a company may copy a certified application and try to pass it off as the certified copy. However, the cloned copy may not function in the same way as the certified copy or may include malicious software.
  • The low-risk/noisy security rating includes applications that perform behaviors related to use of mobile devices 104. The behaviors include frequently pushing advertisements to a user, such as to a notification bar or through pop-up windows, aggressively displaying advertisements on a home screen even if the application is running in the background or closed; aggressively promoting other applications by prompting a user to download the applications; leaking a device identifier, such as an IMEI or IMSI, in plain text. It should be noted that these behaviors may not be a security risk as in these behaviors do not perform malicious actions to mobile device 104. However, these actions may create noise to a user, such as distracting them with advertisements.
  • Once the security ratings are stored in storage 210, a communication manager 212 may communicate the security rating to mobile devices 104 that include applications 108 that have been rated. Additionally, communication manager 212 may communicate the security rating to application marketplaces 106. The marketplaces may display the security rating in the marketplace to allow users to determine whether they want to download applications 108.
  • FIG. 3 depicts a more detailed example of analyzer manager 202 and security ratings manager 204 according to one embodiment. In one embodiment, the potential harmful behavior of applications 108 and grading of the security risks are determined without actually executing applications 108 on mobile devices 104. Particular embodiments define a set of behaviors that will affect the security of mobile device 104. For example, these behaviors may include behaviors that are associated with operating a mobile device, such as initiating a phone call, sending an SMS message, tracking the location of mobile device 104, accessing the contacts and sending contact information, accessing mobile device information, accessing the camera/video and initiating the camera or video recorder, accessing SMS content, and accessing a call log. Based on which behaviors are determined that an application 108 can perform, a different security rating may be applied to each behavior and/or application 108.
  • An application analyzer 302 receives an application package. As discussed above, the application package may include an application executable and/or application metadata. Application analyzer 302 analyzes the application package to determine a permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed. The operating system defines or provides a list of APIs that applications can use to trigger certain actions or access certain data. Each permission is associated to a set of APIs. To access the APIs, an application needs to claim proper permissions that are associated to the APIs the application wants to invoke. However, the combination of same set of APIs can generate various kinds of behaviors and thus consequences from the behaviors on the mobile device, which can be secure to the user as well as harmful to the user. Static analyzer 206-2 extracts all the permissions from an application that the application claims to use and check that the application has claimed more permissions than it needs for normal or secure behavior. Dynamic analyzer 206-3 goes one step further by analyzing how the APIs associated with the permissions that an application has declared to use are used inside the code of the application and thus determines the kind of runtime behaviors that are triggered to determine whether any of runtime behaviors are harmful to the mobile device and/or users. Application analyzer 302 may determine the permission list from the application's executable file or application metadata.
  • Application analyzer 302 uses the permission list to generate a set of potential behaviors for application 108. In one embodiment, a first mapping table (MT1) is used to determine the potential behaviors. For example, mapping table #1 may map different permissions to different potential behaviors. For each permission in the permission list, a list of potential behaviors is determined. The following may be used to determine the set of potential behaviors:
  •
    For each permission combination PC in MT1:
    if PC in CPL
    BL = MT1(PC);
    Add BL into PBL,

    where PC is a permission and CPL is a permission list, BL is the set of possible behaviors, and PBL is a potential behavior list. The above determines the list of behaviors by applying the permissions to mapping table #1 and then adds the behaviors determined as potential behaviors in the PBL. An example of mapping table #1 may be:
  • Permission Behavior
    READ_CONTACT Get contact list
    Get call history

    In the above, if the permission of “READ_CONTACT” is determined, then the behaviors of accessing the contact list and accessing the call history are added. The potential behaviors in the PBL for all permissions will be used later in the process described below.
  • A category analyzer 304 collects category information for an application 108 from various application marketplaces 106. For example, different marketplaces 106 may be offering an instance of application 108. However, different marketplaces 106 may categorize the same application 108 in different categories. For example, one application marketplace 106 may categorize application 108 in a general “games” category and another application marketplace 106 may categorize application 108 in a “race car game” category. Category analyzer 304 may receive the categories that application marketplaces 106 have used based on a crawling of application marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application.
  • In one embodiment, category analyzer 304 may select a default category (DC) based on the category information received from all application marketplaces 106. The default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace.
  • Category analyzer 304 then uses a second mapping table #2 (MT2) that maps categories to required behaviors. For example, mapping table #2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category. An example of mapping table #2 may be:
  • Category Behavior
    Social Network Get contact list
    Access Internet

    In the above, if the category of “Social Network” is determined, then the behavior of accessing the contact list and the Internet is determined.
  • An application description analyzer 306 receives an application description, which may include an application name and synopsis of the application functionality. In one example, a crawler may crawl through various application marketplaces 106 to determine the application name and description from each application marketplace 106. For example, different marketplaces may have a different description of an instance of application 108. Further, different applications may have different names in different marketplaces, but may be the same application.
  • Application description analyzer 306 includes a third mapping table #3 (MT3) that maps keywords to required behaviors. An example of mapping table #3 may be:
  • Keyword Behavior
    phone call Call phone
    video call Call phone dialer/Call phone

    In the above, various keywords are mapped to behaviors, such as a keyword of phone call is mapped to a behavior of making a phone call. For example, application description analyzer 306 may extract keywords from the functional description and/or application name. The keywords may be information that describes application 108, such as an e-mail messaging application, a game, etc. Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table #3.
  • A required behavior manager 308 receives required behaviors from category analyzer 304 and application description analyzer 306. Required behavior manager 308 may then output a set of required behaviors. Required behavior manager 308 may use the following algorithm to determine the set of required behaviors:
  •
    BL1 = MT2(DC);
    Add BL1 into RBL;
    For each keywords K in TF
    BL2 = MT3(DC, K);
    Add BL2 into RBL,

    where BL1 is a first set of required behaviors from category analyzer 304, DC is a default category, RBL is a required behavior list, BL2 is a second list of required behaviors from description analyzer 306, and K is a constant. The above algorithm determines a first behavior list (RBL) based on the output of mapping table #2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL2 is determined by applying the keywords to a mapping table #3. The second required behavior list BL2 is then added into the required behavior list RBL.
  • A behavior comparison manager 310 receives the required behavior list in addition to the potential behavior list. Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates an abused behavior list (ABL). The following algorithm may be used:
  •
    For each behavior B in PBL
    if it not in RBL
    Add B into ABL;

    If the abused behavior list is an empty set, i.e., no behaviors were added into the abused behavior list, security ratings determiner 312 in security ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the abused behavior list. For example, security ratings determiner 312 may review each behavior and assign a security rating. That is, each behavior may be given one of the security ratings.
  • Once each behavior has been rated, then security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of behaviors that are in the low-risk/noisy security rating, security rating determiner 312 assigns a low-risk/noisy security rating to application 108. Also, the number of behaviors may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108. In other cases, if one behavior is included in a certain security rating, such as malicious, then that security rating is assigned to application 108. For example, if an application exhibits just one malicious behavior, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious behavior.
  • Particular embodiments may also be used for an Android™ application. In this case, a list of Android permissions may be mapped into a security rating.
  • FIG. 4 depicts a more detailed example of analyzer manager 202 and security ratings manager 204 for a list of Android permissions according to one embodiment. An application analyzer 302 receives an application package. As discussed above, the application package may include an application executable and/or application metadata. Application analyzer 302 analyzes the application package to determine an Android permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed in Android. Application analyzer 302 may determine the permission list from the application's executable file or application metadata.
  • Application analyzer 302 maps each permission to a security rating (SR(P)) using a first mapping table #1 (MT1).
  • A category analyzer 304 collects category information for an application 108 from various application marketplaces 106. For example, different marketplaces 106 may be offering an instance of application 108. However, different marketplaces 106 may categorize the same application 108 in different categories. For example, one application marketplace 106 may categorize application 108 in a general games category and another application marketplace 106 may categorize application 108 in a race car game category. Category analyzer 304 may receive the categories that application marketplaces 106 have used based on a crawling of application marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application.
  • In one embodiment, category analyzer 304 may select a default category (DC) based on the category information received from all application marketplaces 106. The default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace.
  • Category analyzer 304 then uses a second mapping table #2 (MT2) that maps categories to required behaviors. For example, mapping table #2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category
  • An application description analyzer 306 receives an application description, which may include an application name and synopsis of the application functionality. In one example, a crawler may crawl through various application marketplaces 106 to determine the application name and description from each application marketplace 106. For example, different marketplaces may have a different description of an instance of application 108. Further, different applications may have different names in different marketplaces, but may be the same application.
  • Application description analyzer 306 includes a third mapping table #3 (MT3) that maps keywords to required behaviors. For example, application description analyzer 306 may extract keywords from the functional description and/or application name. The keywords may be information that describes application 108, such as an e-mail messaging application, a game, etc. Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table #3.
  • A required behavior manager 308 receives required behaviors from category analyzer 304 and application description analyzer 306. Required behavior manager 308 may then output a set of required behaviors. Required behavior manager 308 may use the following algorithm to determine the set of required behaviors:
  •
    BL1 = MT2(DC);
    Add BL1 into RBL;
    For each keywords K in TF
    BL2 = MT3(DC, K);
    Add BL2 into RBL,

    where BL1 is a first set of required behaviors from category analyzer 304, DC is a default category, RBL is a required behavior list, BL2 is a second list of required behaviors from description analyzer 306, and K is a constant. The above algorithm determines a first behavior list (RBL) based on the output of mapping table #2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL2 is determined by applying the keywords to a mapping table #3. The second required behavior list BL2 is then added into the required behavior list RBL.
  • A behavior comparison manager 310 receives the required behavior list in addition to the potential behavior lists. Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates a violated permission list (VPL). The following algorithm may be used:
  •
    For each behavior B in PBL
    if it not in RBL
    Add B into VPL;

    If the violated permission list is an empty set, i.e., no permissions were added into the violated permission list, security ratings determiner 312 in security ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the violated permission list. For example, security ratings determiner 312 may review each permission and assign a security rating. For example, each permission may be given one of the security ratings.
  • Once each permission has been rated, then security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of permissions that are in the low-risk/noisy security rating, security rating determiner 312 assigns a low-risk/noisy security rating to application 108. Also, the number of permissions may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108. In other cases, if one permission is included in a certain security rating, such as malicious, then that security rating is assigned to application 108. For example, if an application exhibits just one malicious permission, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious permission.
  • FIG. 5 depicts a simplified flowchart 500 of a method for determining security ratings according to one embodiment. At 502, risk assessment manager 112 determines a permission list from an application 108. The permission list may be determined from an application package.
  • At 504, risk assessment manager 112 generates a set of potential behaviors from the permission list. The set of potential behaviors are associated with actions that the application allows when executing on a mobile device. In one embodiment, risk assessment manager 112 determines the set of potential behaviors without execution of the application.
  • At 506, risk assessment manager 112 determines functional category information regarding a functional category from a set of application marketplaces 106 that contain the application. The functional category information may be different for different marketplaces 106 and a default category may be determined.
  • At 508, risk assessment manager 112 determines application description information for the application from the set of application marketplaces. The application description information may be keywords from a synopsis of the application.
  • At 510, risk assessment manager 112 generates a required behavior list including a set of required behaviors from the functional category information and the application description information. Risk assessment manager 112 may use mapping tables to generate the required behavior list.
  • At 512, risk assessment manager 112 compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors. The security related behaviors may be abused behaviors or abused permissions as described above. In one embodiment, the security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors. At 514, risk assessment manager 112 determines a security rating based on the set of abused behaviors.
  • FIG. 6 illustrates an example of a special purpose computer system 600 configured with a security ratings system according to one embodiment. Computer system 600 includes a bus 602, network interface 604, a computer processor 606, a memory 608, a storage device 610, and a display 612.
  • Bus 602 may be a communication mechanism for communicating information. Computer processor 604 may execute computer programs stored in memory 608 or storage device 608. Any suitable programming language can be used to implement the routines of particular embodiments including C, C++, Java, assembly language, etc. Different programming techniques can be employed such as procedural or object oriented. The routines can execute on a single computer system 600 or multiple computer systems 600. Further, multiple processors 606 may be used.
  • Memory 608 may store instructions, such as source code or binary code, for performing the techniques described above. Memory 608 may also be used for storing variables or other intermediate information during execution of instructions to be executed by processor 606. Examples of memory 608 include random access memory (RAM), read only memory (ROM), or both.
  • Storage device 610 may also store instructions, such as source code or binary code, for performing the techniques described above. Storage device 610 may additionally store data used and manipulated by computer processor 606. For example, storage device 610 may be a database that is accessed by computer system 600. Other examples of storage device 610 include random access memory (RAM), read only memory (ROM), a hard drive, a magnetic disk, an optical disk, a CD-ROM, a DVD, a flash memory, a USB memory card, or any other medium from which a computer can read.
  • Memory 608 or storage device 610 may be an example of a non-transitory computer-readable storage medium for use by or in connection with computer system 600. The computer-readable storage medium contains instructions for controlling a computer system to be operable to perform functions described by particular embodiments. The instructions, when executed by one or more computer processors, may be operable to perform that which is described in particular embodiments.
  • Computer system 600 includes a display 612 for displaying information to a computer user. Display 612 may display a user interface used by a user to interact with computer system 600.
  • Computer system 600 also includes a network interface 604 to provide data communication connection over a network, such as a local area network (LAN) or wide area network (WAN). Wireless networks may also be used. In any such implementation, network interface 604 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information.
  • Computer system 600 can send and receive information through network interface 604 across a network 614, which may be an Intranet or the Internet. Computer system 600 may interact with other computer systems 600 through network 614. In some examples, client-server communications occur through network 614. Also, implementations of particular embodiments may be distributed across computer systems 600 through network 614.
  • As used in the description herein and throughout the claims that follow, “a”, “an”, and “the” includes plural references unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
  • The above description illustrates various embodiments along with examples of how aspects of particular embodiments may be implemented. The above examples and embodiments should not be deemed to be the only embodiments, and are presented to illustrate the flexibility and advantages of particular embodiments as defined by the following claims. Based on the above disclosure and the following claims, other arrangements, embodiments, implementations and equivalents may be employed without departing from the scope hereof as defined by the claims.
  • The above description illustrates various embodiments along with examples of how aspects of particular embodiments may be implemented. The above examples and embodiments should not be deemed to be the only embodiments, and are presented to illustrate the flexibility and advantages of particular embodiments as defined by the following claims. Based on the above disclosure and the following claims, other arrangements, embodiments, implementations and equivalents may be employed without departing from the scope hereof as defined by the claims.

Claims (20)

What is claimed is:
1. A method comprising:
determining, by a computing system, a permission list from an application;
generating, by the computing system, a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application;
determining, by the computing system, functional category information regarding a functional category from a set of application marketplaces that contain the application;
determining, by the computing system, application description information for the application from the set of application marketplaces;
generating, by the computing system, a required behavior list including a set of required behaviors from the functional category information and the application description information;
comparing, by the computing system, the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and
determining, by the computing system, a security rating based on the set of security related behaviors.
2. The method of claim 1, wherein determining the permission list comprises:
reading an executable file for the application or application metadata for the application to determine the set of potential behaviors; and
generating the set of potential behaviors based on a mapping table that maps permissions determined from the executable file or the application metadata to potential behaviors.
3. The method of claim 1, wherein determining the functional category information comprises:
determining a set of functional categories from the set of application marketplaces, wherein at least two marketplaces categorize the application in a different functional category;
determining a category definition for at least one of the functional categories in at least one of the application marketplaces; and
selecting a default functional category based on the category definition, wherein the default functional category is used to determine the set of required behaviors.
4. The method of claim 3, wherein generating the required behavior list comprises inputting the default category into a mapping table to map the default category to set of required behaviors.
5. The method of claim 1, wherein generating the required behavior list comprises generating a first set of required behaviors based on a mapping table that maps a functional category to required behaviors.
6. The method of claim 5, wherein generating the required behavior list comprises generating a second set of required behaviors based on a mapping table that maps the application description to required behaviors.
7. The method of claim 1, wherein determining the application description information comprises determining a set of keywords that describe the application based on the application description information.
8. The method of claim 7, wherein generating the required behavior list comprises inputting the set of keywords into a mapping table to map the keywords to required behaviors in the set of required behaviors.
9. The method of claim 1, wherein the security rating is selected from certified, malicious, high risk, low/noisy ratings.
10. The method of claim 1, wherein the security rating is determining without executing the application on a computing device or information from executing the application on the computing device.
11. The method of claim 1, further comprising sending the security rating to a mobile device or an application marketplace.
12. The method of claim 1, wherein determining the security rating comprises:
determining a security rating for each security related behavior; and
determining the security rating for the application based on the security rating for each security related behavior.
13. The method of claim 12, further comprising comparing the security rating for each security related behavior to a set of thresholds to select one of the security ratings for a portion of the security related behaviors.
14. A non-transitory computer-readable storage medium containing instructions, that when executed, control a computer system to be configured for:
determining a permission list from an application;
generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application;
determining functional category information regarding a functional category from a set of application marketplaces that contain the application;
determining application description information for the application from the set of application marketplaces;
generating a required behavior list including a set of required behaviors from the functional category information and the application description information;
comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and
determining a security rating based on the set of security related behaviors.
15. The non-transitory computer-readable storage medium of claim 14, wherein determining the permission list comprises:
reading an executable file for the application or application metadata for the application to determine the set of potential behaviors; and
generating the set of potential behaviors based on a mapping table that maps permissions determined from the executable file or the application metadata to potential behaviors.
16. The non-transitory computer-readable storage medium of claim 14, wherein determining the functional category information comprises:
determining a set of functional categories from the set of application marketplaces, wherein at least two marketplaces categorize the application in a different functional category;
determining a category definition for at least one of the functional categories in at least one of the application marketplaces; and
selecting a default functional category based on the category definition, wherein the default functional category is used to determine the set of required behaviors.
17. The non-transitory computer-readable storage medium of claim 14, wherein generating the required behavior list comprises generating a first set of required behaviors based on a mapping table that maps a functional category to required behaviors.
18. The non-transitory computer-readable storage medium of claim 14, wherein determining the application description information comprises determining a set of keywords that describe the application based on the application description information.
19. The non-transitory computer-readable storage medium of claim 14, wherein the security rating is selected from certified, malicious, high risk, low/noisy ratings.
20. An apparatus comprising:
one or more computer processors; and
a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more computer processors to be configured for:
determining a permission list from an application;
generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application;
determining functional category information regarding a functional category from a set of application marketplaces that contain the application;
determining application description information for the application from the set of application marketplaces;
generating a required behavior list including a set of required behaviors from the functional category information and the application description information;
comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and
determining a security rating based on the set of security related behaviors.
US13/734,467 2012-01-04 2013-01-04 Detecting application harmful behavior and grading application risks for mobile devices Active 2033-01-08 US9063964B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/734,467 US9063964B2 (en) 2012-01-04 2013-01-04 Detecting application harmful behavior and grading application risks for mobile devices

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201261582910P 2012-01-04 2012-01-04
US13/734,467 US9063964B2 (en) 2012-01-04 2013-01-04 Detecting application harmful behavior and grading application risks for mobile devices

Publications (2)

Publication Number Publication Date
US20130212684A1 true US20130212684A1 (en) 2013-08-15
US9063964B2 US9063964B2 (en) 2015-06-23

Family

ID=48780718

Family Applications (3)

Application Number Title Priority Date Filing Date
US13/734,453 Active 2033-04-09 US9020925B2 (en) 2012-01-04 2013-01-04 Application certification and search system
US13/734,550 Active US9213729B2 (en) 2012-01-04 2013-01-04 Application recommendation system
US13/734,467 Active 2033-01-08 US9063964B2 (en) 2012-01-04 2013-01-04 Detecting application harmful behavior and grading application risks for mobile devices

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US13/734,453 Active 2033-04-09 US9020925B2 (en) 2012-01-04 2013-01-04 Application certification and search system
US13/734,550 Active US9213729B2 (en) 2012-01-04 2013-01-04 Application recommendation system

Country Status (1)

Country Link
US (3) US9020925B2 (en)

Cited By (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140245448A1 (en) * 2013-02-27 2014-08-28 Electronics And Telecommunications Research Institute Apparatus and method for analyzing permission of application for mobile devices and detecting risk
US20140280098A1 (en) * 2013-03-15 2014-09-18 Quixey, Inc. Performing application search based on application gaminess
US8918387B1 (en) 2012-04-04 2014-12-23 Symantec Corporation Systems and methods for classifying applications configured for cloud-based platforms
US20150067830A1 (en) * 2013-08-28 2015-03-05 Amazon Technologies, Inc. Dynamic application security verification
CN104462971A (en) * 2014-12-17 2015-03-25 北京奇虎科技有限公司 Malicious application program recognition method and device according to application program declaration characteristics
EP2884784A1 (en) * 2013-12-11 2015-06-17 Alcatel Lucent Privacy ratings for applications of mobile terminals
US20150172146A1 (en) * 2012-06-05 2015-06-18 Lookout, Inc. Identifying manner of usage for software assets in applications on user devices
US9152694B1 (en) * 2013-06-17 2015-10-06 Appthority, Inc. Automated classification of applications for mobile devices
US9183383B1 (en) * 2014-12-05 2015-11-10 AO Kaspersky Lab System and method of limiting the operation of trusted applications in presence of suspicious programs
US20150332049A1 (en) * 2014-05-15 2015-11-19 Northwestern University System and method for determining description-to-permission fidelity in mobile applications
US9208215B2 (en) 2012-12-27 2015-12-08 Lookout, Inc. User classification based on data gathered from a computing device
US9223961B1 (en) * 2012-04-04 2015-12-29 Symantec Corporation Systems and methods for performing security analyses of applications configured for cloud-based platforms
US20160012221A1 (en) * 2013-03-05 2016-01-14 Telecom Italia S.P.A. Method For Measuring and Monitoring the Access Levels to Personal Data Generated by Resources of a User Device
US20160055336A1 (en) * 2013-03-28 2016-02-25 Mwstory Co., Ltd. System for preventing malicious intrusion based on smart device and method thereof
US20160110543A1 (en) * 2014-10-21 2016-04-21 Electronics And Telecommunications Research Institute Apparatus and method for detecting malicious application based on visualization similarity
US9323511B1 (en) * 2013-02-28 2016-04-26 Google Inc. Splitting application permissions on devices
WO2016108378A1 (en) * 2014-12-30 2016-07-07 Samsung Electronics Co., Ltd. Electronic system with risk presentation mechanism and method of operation thereof
US9589129B2 (en) 2012-06-05 2017-03-07 Lookout, Inc. Determining source of side-loaded software
US9596256B1 (en) * 2014-07-23 2017-03-14 Lookingglass Cyber Solutions, Inc. Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface
US9652617B1 (en) * 2013-06-25 2017-05-16 Amazon Technologies, Inc. Analyzing security of applications
US9665465B1 (en) * 2012-11-19 2017-05-30 Amazon Technologies, Inc. Automated determination of application permissions
US9762596B2 (en) 2011-05-24 2017-09-12 Palo Alto Networks, Inc. Heuristic botnet detection
US9762608B1 (en) * 2012-09-28 2017-09-12 Palo Alto Networks, Inc. Detecting malware
US9804869B1 (en) 2013-07-30 2017-10-31 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using dynamic patching
US9805193B1 (en) 2014-12-18 2017-10-31 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US20170372066A1 (en) * 2016-06-28 2017-12-28 International Business Machines Corporation Detecting harmful applications prior to installation on a user device
US20180039774A1 (en) * 2016-08-08 2018-02-08 International Business Machines Corporation Install-Time Security Analysis of Mobile Applications
US9921827B1 (en) 2013-06-25 2018-03-20 Amazon Technologies, Inc. Developing versions of applications based on application fingerprinting
US9942251B1 (en) * 2012-09-28 2018-04-10 Palo Alto Networks, Inc. Malware detection based on traffic analysis
US9990481B2 (en) 2012-07-23 2018-06-05 Amazon Technologies, Inc. Behavior-based identity system
US10019575B1 (en) 2013-07-30 2018-07-10 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using copy-on-write
US10037548B2 (en) 2013-06-25 2018-07-31 Amazon Technologies, Inc. Application recommendations based on application and lifestyle fingerprinting
US10114944B1 (en) * 2015-11-12 2018-10-30 Symantec Corporation Systems and methods for classifying permissions on mobile devices
US10114950B2 (en) 2012-10-19 2018-10-30 McAFEE, LLC. Mobile application management
US10152597B1 (en) 2014-12-18 2018-12-11 Palo Alto Networks, Inc. Deduplicating malware
US10204221B2 (en) 2014-07-14 2019-02-12 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US10218697B2 (en) 2017-06-09 2019-02-26 Lookout, Inc. Use of device risk evaluation to manage access to services
CN109445874A (en) * 2018-11-15 2019-03-08 济南浪潮高新科技投资发展有限公司 A kind of more activation systems and method with safety certification based on embedded Linux system
US10242187B1 (en) * 2016-09-14 2019-03-26 Symantec Corporation Systems and methods for providing integrated security management
US10269029B1 (en) 2013-06-25 2019-04-23 Amazon Technologies, Inc. Application monetization based on application and lifestyle fingerprinting
WO2019108919A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators
US20190354686A1 (en) * 2018-05-16 2019-11-21 Target Brands, Inc. Electronic security evaluator
US10867041B2 (en) 2013-07-30 2020-12-15 Palo Alto Networks, Inc. Static and dynamic security analysis of apps for mobile devices
US10956573B2 (en) 2018-06-29 2021-03-23 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11010474B2 (en) 2018-06-29 2021-05-18 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11087024B2 (en) 2016-01-29 2021-08-10 Samsung Electronics Co., Ltd. System and method to enable privacy-preserving real time services against inference attacks
US11196765B2 (en) 2019-09-13 2021-12-07 Palo Alto Networks, Inc. Simulating user interactions for malware analysis
US11259183B2 (en) 2015-05-01 2022-02-22 Lookout, Inc. Determining a security state designation for a computing device based on a source of software
US20220094716A1 (en) * 2013-10-18 2022-03-24 Nokia Technologies Oy Method and system for operating and monitoring permissions for applications in an electronic device

Families Citing this family (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102957727A (en) * 2011-08-26 2013-03-06 腾讯科技(深圳)有限公司 Client side, server and friend feed prompting system and friend feed prompting method in SNS (social network service) network
JP5857636B2 (en) * 2011-11-02 2016-02-10 ソニー株式会社 Information processing apparatus, information processing method, and program
US9544212B2 (en) 2012-01-27 2017-01-10 Microsoft Technology Licensing, Llc Data usage profiles for users and applications
US9275227B2 (en) * 2012-04-05 2016-03-01 International Business Machines Corporation Policy driven administration of mobile applications
US11368760B2 (en) * 2012-08-17 2022-06-21 Flextronics Ap, Llc Applications generating statistics for user behavior
US8612470B1 (en) * 2012-12-28 2013-12-17 Dropbox, Inc. Application recommendation using stored files
KR20140106887A (en) * 2013-02-27 2014-09-04 삼성전자주식회사 A method for displaying program and an electronic device thereof
US9335818B2 (en) * 2013-03-15 2016-05-10 Pandora Media System and method of personalizing playlists using memory-based collaborative filtering
US9501762B2 (en) 2013-04-23 2016-11-22 Dropbox, Inc. Application recommendation using automatically synchronized shared folders
US9955286B2 (en) * 2013-05-08 2018-04-24 Natalya Segal Smart wearable devices and system therefor
WO2015042290A1 (en) * 2013-09-19 2015-03-26 Quixey, Inc. Identifying gaps in search results
US10021169B2 (en) * 2013-09-20 2018-07-10 Nuance Communications, Inc. Mobile application daily user engagement scores and user profiles
US9589024B2 (en) * 2013-09-27 2017-03-07 Intel Corporation Mechanism for facilitating dynamic and proactive data management for computing devices
US9336278B2 (en) * 2013-09-30 2016-05-10 Google Inc. User experience and user flows for third-party application recommendation in cloud storage systems
US9633081B1 (en) 2013-09-30 2017-04-25 Google Inc. Systems and methods for determining application installation likelihood based on user network characteristics
US9390141B2 (en) 2013-09-30 2016-07-12 Google Inc. Systems and methods for determining application installation likelihood based on probabilistic combination of subordinate methods
US9177255B1 (en) 2013-09-30 2015-11-03 Google Inc. Cloud systems and methods for determining the probability that a second application is installed based on installation characteristics
US11188543B2 (en) 2013-10-14 2021-11-30 International Business Machines Corporation Utilizing social information for recommending an application
CN104866505B (en) * 2014-02-25 2021-04-06 腾讯科技(深圳)有限公司 Application recommendation method and device
CN104603753B (en) * 2014-03-19 2018-10-19 华为技术有限公司 A kind of recommendation method, system and the server of application
WO2015167587A1 (en) * 2014-04-30 2015-11-05 Hewlett-Packard Development Company, L.P. Determining application deployment recommendations
US9536199B1 (en) 2014-06-09 2017-01-03 Google Inc. Recommendations based on device usage
WO2016000555A1 (en) * 2014-06-30 2016-01-07 北京奇虎科技有限公司 Methods and systems for recommending social network-based content and news
KR101682671B1 (en) * 2014-07-31 2016-12-06 엔에이치엔엔터테인먼트 주식회사 Service method and system for recommending post associated appstore with timeline
US9348571B2 (en) * 2014-08-25 2016-05-24 General Electric Company Method, device, and program storage device for autonomous software life cycle management
US9542451B2 (en) * 2014-09-05 2017-01-10 Google Inc. Mobile application search ranking
US9070088B1 (en) 2014-09-16 2015-06-30 Trooly Inc. Determining trustworthiness and compatibility of a person
CN104298522B (en) * 2014-09-22 2018-08-31 联想(北京)有限公司 A kind of information processing method and the first electronic equipment
US20160124959A1 (en) * 2014-10-31 2016-05-05 Google Inc. System and method to recommend a bundle of items based on item/user tagging and co-install graph
US20160162148A1 (en) * 2014-12-04 2016-06-09 Google Inc. Application launching and switching interface
US9509857B2 (en) * 2014-12-10 2016-11-29 Google Inc. Mobile device push notification using mobile application usage history
US10332184B2 (en) * 2014-12-15 2019-06-25 Samsung Electronics Co., Ltd. Personalized application recommendations
US20160188169A1 (en) * 2014-12-31 2016-06-30 TCL Research America Inc. Least touch mobile device
US11373212B2 (en) * 2015-03-03 2022-06-28 Zeta Global Corp. System and method for data enrichment for requests for advertising on mobile devices
RU2592460C1 (en) * 2015-03-31 2016-07-20 Закрытое акционерное общество "Лаборатория Касперского" System and method of controlling privileges of consumers of personal data
US20170085677A1 (en) * 2015-09-18 2017-03-23 Quixey, Inc. Recommending Applications
US20170147581A1 (en) * 2015-11-24 2017-05-25 Facebook, Inc. Systems and methods for sharing content
CN106170791A (en) * 2016-01-20 2016-11-30 马岩 A kind of information classification approach based on app and system
US10536540B2 (en) * 2016-05-02 2020-01-14 Microsoft Technology Licensing, Llc Computing system architecture for producing file analytics
US20170353603A1 (en) * 2016-06-03 2017-12-07 Facebook, Inc. Recommending applications using social networking information
CN106682056B (en) * 2016-07-15 2018-11-20 腾讯科技(深圳)有限公司 The determination method, apparatus and system of correlation between different application software
US9947037B2 (en) 2016-09-14 2018-04-17 International Business Machines Corporation Software recommendation services for targeted user groups
US10262157B2 (en) * 2016-09-28 2019-04-16 International Business Machines Corporation Application recommendation based on permissions
US11269961B2 (en) 2016-10-28 2022-03-08 Microsoft Technology Licensing, Llc Systems and methods for App query driven results
US10169576B2 (en) * 2016-11-15 2019-01-01 International Business Machines Corporation Malware collusion detection
US11423109B2 (en) * 2017-08-31 2022-08-23 Shenzhen Heytap Technology Corp., Ltd. Information processing method, server and computer program product
CN107707642B (en) * 2017-09-22 2019-08-13 Oppo广东移动通信有限公司 Brush amount terminal determines method and device
CN107908686B (en) * 2017-10-31 2020-01-14 Oppo广东移动通信有限公司 Information pushing method and device, server and readable storage medium
US11410075B2 (en) * 2018-01-15 2022-08-09 Microsoft Technology Licensing, Llc Contextually-aware recommendations for assisting users with task completion
US10824547B2 (en) * 2018-09-10 2020-11-03 Servicenow, Inc. Automated certification testing for application deployment
EP3629159A1 (en) * 2018-09-28 2020-04-01 Telefonica Digital España, S.L.U. Risk computation for software extensions
US11144425B1 (en) * 2019-06-28 2021-10-12 NortonLifeLock Inc. Systems and methods for crowdsourced application advisory
US20210142334A1 (en) * 2019-11-08 2021-05-13 Ul Llc Technologies for using machine learning to determine product certification eligibility
US11474806B2 (en) 2019-11-19 2022-10-18 Salesforce.Com, Inc. Automatically producing and code-signing binaries
US11227323B2 (en) * 2020-03-30 2022-01-18 EMC IP Holding Company LLC Smart software recommendation using an application network
CN111737576B (en) * 2020-06-22 2023-09-19 中国银行股份有限公司 Application function personalized recommendation method and device
WO2022052038A1 (en) * 2020-09-11 2022-03-17 Citrix Systems, Inc. Systems and methods for application access
WO2023096501A1 (en) * 2021-11-24 2023-06-01 Xero Limited Methods and systems for building and/or using a graph data structure
KR20240038404A (en) * 2022-09-16 2024-03-25 삼성전자주식회사 Electronic apparatus displaying icons and control method thereof

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120072991A1 (en) * 2010-09-22 2012-03-22 Rohyt Belani Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms
US20120317638A1 (en) * 2011-06-07 2012-12-13 Research In Motion Limited Method and devices for managing permission requests to allow access to a computing resource

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5813009A (en) * 1995-07-28 1998-09-22 Univirtual Corp. Computer based records management system method
US6772139B1 (en) * 1998-10-05 2004-08-03 Smith, Iii Julius O. Method and apparatus for facilitating use of hypertext links on the world wide web
JP4238411B2 (en) * 1999-04-12 2009-03-18 ソニー株式会社 Information processing system
US7089552B2 (en) * 2002-08-29 2006-08-08 Sun Microsystems, Inc. System and method for verifying installed software
US8676830B2 (en) * 2004-03-04 2014-03-18 Yahoo! Inc. Keyword recommendation for internet search engines
KR100835631B1 (en) * 2004-07-20 2008-06-09 후지쯔 가부시끼가이샤 Electronic document management system
EP1920393A2 (en) * 2005-07-22 2008-05-14 Yogesh Chunilal Rathod Universal knowledge management and desktop search system
WO2007076453A1 (en) * 2005-12-21 2007-07-05 Decernis, Llc Document validation system and method
US7769712B2 (en) * 2005-12-21 2010-08-03 Decernis, Llc Document validation system and method
US7963839B2 (en) * 2006-09-19 2011-06-21 Mudalla Technology, Inc. Regulated gaming exchange
JP4371327B2 (en) * 2007-10-24 2009-11-25 富士通株式会社 Application processing program, application processing method, mediation server device, and mediation server system
US7904530B2 (en) * 2008-01-29 2011-03-08 Palo Alto Research Center Incorporated Method and apparatus for automatically incorporating hypothetical context information into recommendation queries
US8763071B2 (en) * 2008-07-24 2014-06-24 Zscaler, Inc. Systems and methods for mobile application security classification and enforcement
US8881128B2 (en) * 2010-02-25 2014-11-04 Blackberry Limited Method and system for acquisition of an application for installation at a communication device
US20120072283A1 (en) * 2010-09-16 2012-03-22 Mobilmeme, Inc. Mobile application recommendation system and method
EP2633487B1 (en) * 2010-10-29 2020-11-25 Orange Method and system to recommend applications from an application market place to a new device
US8468164B1 (en) * 2011-03-09 2013-06-18 Amazon Technologies, Inc. Personalized recommendations based on related users
EP2712442A1 (en) * 2011-05-09 2014-04-02 Google, Inc. Recommending applications for mobile devices based on installation histories
US9781540B2 (en) * 2011-07-07 2017-10-03 Qualcomm Incorporated Application relevance determination based on social context

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120072991A1 (en) * 2010-09-22 2012-03-22 Rohyt Belani Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms
US20120317638A1 (en) * 2011-06-07 2012-12-13 Research In Motion Limited Method and devices for managing permission requests to allow access to a computing resource

Cited By (82)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9762596B2 (en) 2011-05-24 2017-09-12 Palo Alto Networks, Inc. Heuristic botnet detection
US9223961B1 (en) * 2012-04-04 2015-12-29 Symantec Corporation Systems and methods for performing security analyses of applications configured for cloud-based platforms
US8918387B1 (en) 2012-04-04 2014-12-23 Symantec Corporation Systems and methods for classifying applications configured for cloud-based platforms
US9940454B2 (en) 2012-06-05 2018-04-10 Lookout, Inc. Determining source of side-loaded software using signature of authorship
US9215074B2 (en) 2012-06-05 2015-12-15 Lookout, Inc. Expressing intent to control behavior of application components
US10256979B2 (en) 2012-06-05 2019-04-09 Lookout, Inc. Assessing application authenticity and performing an action in response to an evaluation result
US20150172146A1 (en) * 2012-06-05 2015-06-18 Lookout, Inc. Identifying manner of usage for software assets in applications on user devices
US20150169877A1 (en) * 2012-06-05 2015-06-18 Lookout, Inc. Monitoring for fraudulent or harmful behavior in applications being installed on user devices
US9407443B2 (en) 2012-06-05 2016-08-02 Lookout, Inc. Component analysis of software applications on computing devices
US11336458B2 (en) * 2012-06-05 2022-05-17 Lookout, Inc. Evaluating authenticity of applications based on assessing user device context for increased security
US9589129B2 (en) 2012-06-05 2017-03-07 Lookout, Inc. Determining source of side-loaded software
US9992025B2 (en) 2012-06-05 2018-06-05 Lookout, Inc. Monitoring installed applications on user devices
US10419222B2 (en) * 2012-06-05 2019-09-17 Lookout, Inc. Monitoring for fraudulent or harmful behavior in applications being installed on user devices
US9990481B2 (en) 2012-07-23 2018-06-05 Amazon Technologies, Inc. Behavior-based identity system
US9942251B1 (en) * 2012-09-28 2018-04-10 Palo Alto Networks, Inc. Malware detection based on traffic analysis
US9762608B1 (en) * 2012-09-28 2017-09-12 Palo Alto Networks, Inc. Detecting malware
US11157616B2 (en) 2012-10-19 2021-10-26 Mcafee, Llc Mobile application management
US10114950B2 (en) 2012-10-19 2018-10-30 McAFEE, LLC. Mobile application management
US9665465B1 (en) * 2012-11-19 2017-05-30 Amazon Technologies, Inc. Automated determination of application permissions
US9208215B2 (en) 2012-12-27 2015-12-08 Lookout, Inc. User classification based on data gathered from a computing device
US20140245448A1 (en) * 2013-02-27 2014-08-28 Electronics And Telecommunications Research Institute Apparatus and method for analyzing permission of application for mobile devices and detecting risk
US9141801B2 (en) * 2013-02-27 2015-09-22 Electronics And Telecommunications Research Institute Apparatus and method for analyzing permission of application for mobile devices and detecting risk
US9323511B1 (en) * 2013-02-28 2016-04-26 Google Inc. Splitting application permissions on devices
US20160012221A1 (en) * 2013-03-05 2016-01-14 Telecom Italia S.P.A. Method For Measuring and Monitoring the Access Levels to Personal Data Generated by Resources of a User Device
US9824210B2 (en) * 2013-03-05 2017-11-21 Telecom Italia S.P.A. Method for measuring and monitoring the access levels to personal data generated by resources of a user device
US20140280098A1 (en) * 2013-03-15 2014-09-18 Quixey, Inc. Performing application search based on application gaminess
US20160055336A1 (en) * 2013-03-28 2016-02-25 Mwstory Co., Ltd. System for preventing malicious intrusion based on smart device and method thereof
US9875356B2 (en) * 2013-03-28 2018-01-23 Mwstory Co., Ltd. System for preventing malicious intrusion based on smart device and method thereof
US10148667B2 (en) 2013-06-17 2018-12-04 Appthority, Inc. Automated classification of applications for mobile devices
US9639694B2 (en) * 2013-06-17 2017-05-02 Appthority, Inc. Automated classification of applications for mobile devices
US20160012220A1 (en) * 2013-06-17 2016-01-14 Appthority, Inc. Automated classification of applications for mobile devices
US9152694B1 (en) * 2013-06-17 2015-10-06 Appthority, Inc. Automated classification of applications for mobile devices
US10269029B1 (en) 2013-06-25 2019-04-23 Amazon Technologies, Inc. Application monetization based on application and lifestyle fingerprinting
US9652617B1 (en) * 2013-06-25 2017-05-16 Amazon Technologies, Inc. Analyzing security of applications
US9921827B1 (en) 2013-06-25 2018-03-20 Amazon Technologies, Inc. Developing versions of applications based on application fingerprinting
US10037548B2 (en) 2013-06-25 2018-07-31 Amazon Technologies, Inc. Application recommendations based on application and lifestyle fingerprinting
US10678918B1 (en) 2013-07-30 2020-06-09 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using copy-on-write
US9804869B1 (en) 2013-07-30 2017-10-31 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using dynamic patching
US10867041B2 (en) 2013-07-30 2020-12-15 Palo Alto Networks, Inc. Static and dynamic security analysis of apps for mobile devices
US10019575B1 (en) 2013-07-30 2018-07-10 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using copy-on-write
US20150067830A1 (en) * 2013-08-28 2015-03-05 Amazon Technologies, Inc. Dynamic application security verification
US9591003B2 (en) * 2013-08-28 2017-03-07 Amazon Technologies, Inc. Dynamic application security verification
US20170132414A1 (en) * 2013-08-28 2017-05-11 Amazon Technologies, Inc. Dynamic Application Security Verification
US11689577B2 (en) * 2013-10-18 2023-06-27 Nokia Technologies Oy Method and system for operating and monitoring permissions for applications in an electronic device
US20220094716A1 (en) * 2013-10-18 2022-03-24 Nokia Technologies Oy Method and system for operating and monitoring permissions for applications in an electronic device
EP2884784A1 (en) * 2013-12-11 2015-06-17 Alcatel Lucent Privacy ratings for applications of mobile terminals
US10204225B2 (en) * 2014-05-15 2019-02-12 Northwestern University System and method for determining description-to-permission fidelity in mobile applications
US20150332049A1 (en) * 2014-05-15 2015-11-19 Northwestern University System and method for determining description-to-permission fidelity in mobile applications
US10204221B2 (en) 2014-07-14 2019-02-12 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US10515210B2 (en) 2014-07-14 2019-12-24 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US9596256B1 (en) * 2014-07-23 2017-03-14 Lookingglass Cyber Solutions, Inc. Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface
US10511621B1 (en) 2014-07-23 2019-12-17 Lookingglass Cyber Solutions, Inc. Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface
US20160110543A1 (en) * 2014-10-21 2016-04-21 Electronics And Telecommunications Research Institute Apparatus and method for detecting malicious application based on visualization similarity
US9183383B1 (en) * 2014-12-05 2015-11-10 AO Kaspersky Lab System and method of limiting the operation of trusted applications in presence of suspicious programs
CN104462971A (en) * 2014-12-17 2015-03-25 北京奇虎科技有限公司 Malicious application program recognition method and device according to application program declaration characteristics
US10846404B1 (en) 2014-12-18 2020-11-24 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US11036859B2 (en) 2014-12-18 2021-06-15 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US9805193B1 (en) 2014-12-18 2017-10-31 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US10152597B1 (en) 2014-12-18 2018-12-11 Palo Alto Networks, Inc. Deduplicating malware
US9626515B2 (en) 2014-12-30 2017-04-18 Samsung Electronics Co., Ltd. Electronic system with risk presentation mechanism and method of operation thereof
WO2016108378A1 (en) * 2014-12-30 2016-07-07 Samsung Electronics Co., Ltd. Electronic system with risk presentation mechanism and method of operation thereof
US11259183B2 (en) 2015-05-01 2022-02-22 Lookout, Inc. Determining a security state designation for a computing device based on a source of software
US10114944B1 (en) * 2015-11-12 2018-10-30 Symantec Corporation Systems and methods for classifying permissions on mobile devices
US11087024B2 (en) 2016-01-29 2021-08-10 Samsung Electronics Co., Ltd. System and method to enable privacy-preserving real time services against inference attacks
US20170372066A1 (en) * 2016-06-28 2017-12-28 International Business Machines Corporation Detecting harmful applications prior to installation on a user device
US10248788B2 (en) * 2016-06-28 2019-04-02 International Business Machines Corporation Detecting harmful applications prior to installation on a user device
US10621333B2 (en) * 2016-08-08 2020-04-14 International Business Machines Corporation Install-time security analysis of mobile applications
US20180039774A1 (en) * 2016-08-08 2018-02-08 International Business Machines Corporation Install-Time Security Analysis of Mobile Applications
US10242187B1 (en) * 2016-09-14 2019-03-26 Symantec Corporation Systems and methods for providing integrated security management
US10218697B2 (en) 2017-06-09 2019-02-26 Lookout, Inc. Use of device risk evaluation to manage access to services
US11038876B2 (en) 2017-06-09 2021-06-15 Lookout, Inc. Managing access to services based on fingerprint matching
WO2019108919A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators
US10915638B2 (en) * 2018-05-16 2021-02-09 Target Brands Inc. Electronic security evaluator
US20190354686A1 (en) * 2018-05-16 2019-11-21 Target Brands, Inc. Electronic security evaluator
US10956573B2 (en) 2018-06-29 2021-03-23 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11604878B2 (en) 2018-06-29 2023-03-14 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11620383B2 (en) 2018-06-29 2023-04-04 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11010474B2 (en) 2018-06-29 2021-05-18 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11960605B2 (en) 2018-06-29 2024-04-16 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
CN109445874A (en) * 2018-11-15 2019-03-08 济南浪潮高新科技投资发展有限公司 A kind of more activation systems and method with safety certification based on embedded Linux system
US11196765B2 (en) 2019-09-13 2021-12-07 Palo Alto Networks, Inc. Simulating user interactions for malware analysis
US11706251B2 (en) 2019-09-13 2023-07-18 Palo Alto Networks, Inc. Simulating user interactions for malware analysis

Also Published As

Publication number Publication date
US9213729B2 (en) 2015-12-15
US9020925B2 (en) 2015-04-28
US20130185292A1 (en) 2013-07-18
US20140019456A1 (en) 2014-01-16
US9063964B2 (en) 2015-06-23

Similar Documents

Publication Publication Date Title
US9063964B2 (en) Detecting application harmful behavior and grading application risks for mobile devices
Gamba et al. An analysis of pre-installed android software
US11336458B2 (en) Evaluating authenticity of applications based on assessing user device context for increased security
US11677764B2 (en) Automated malware family signature generation
US9930071B2 (en) System and methods for secure utilization of attestation in policy-based decision making for mobile device management and security
Mylonas et al. Assessing privacy risks in android: A user-centric approach
US9268946B2 (en) Quantifying the risks of applications for mobile devices
US8474004B2 (en) System for implementing security on telecommunications terminals
JP6019484B2 (en) Systems and methods for server-bound malware prevention
US8984628B2 (en) System and method for adverse mobile application identification
US9235704B2 (en) System and method for a scanning API
Calciati et al. Automatically granted permissions in Android apps: An empirical study on their prevalence and on the potential threats for privacy
Shrivastava et al. Privacy analysis of android applications: State-of-art and literary assessment
Mylonas et al. A secure smartphone applications roll-out scheme
Zheng et al. Security analysis of modern mission critical android mobile applications
Ito et al. Detecting privacy information abuse by android apps from API call logs
Sikder et al. A survey on android security: development and deployment hindrance and best practices
Jain Android security: Permission based attacks
Montealegre et al. Security vulnerabilities in android applications
Lee et al. Privacy preserving collaboration in bring-your-own-apps
Mangset Analysis of mobile application's compliance with the general data protection regulation (GDPR)
Nwobodo Exploring Optimal Subsets of Statically Registered Broadcast Receivers and Permissions for the Prediction of Malicious Behavior in Android Applications
Weissbacher Measurement and Detection of Security Properties of Client-Side Web Applications
Taylor Security and privacy in app ecosystems
Saracino et al. Risk analysis of Android applications: A user-centric solution Gianluca Dini, Fabio Martinelli, Ilaria Matteucci, Marinella Petrocchi

Legal Events

Date Code Title Description
AS Assignment

Owner name: TRUSTGO MOBILE, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LI, XUYANG;BAO, CHENFU;WANG, LEI;SIGNING DATES FROM 20130116 TO 20130117;REEL/FRAME:030144/0578

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

AS Assignment

Owner name: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD., CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TRUSTGO MOBILE, INC.;REEL/FRAME:059903/0790

Effective date: 20211230

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8